Friday, February 29, 2008

Before I get to a really well done op-ed by Leslie Harris of the Center for Democracy & Technology on the privacy concerns posed by the REAL ID Act, let's do a quick review of what's happening in the states.

In 2007, six states -- Maine, Montana, New Hampshire, Oklahoma, South Carolina and Washington -- took the step of passing laws refusing to comply with the federal law because of the costs, federal imposition on state practice and the potential threats to individual privacy.

While the U.S. Department of Homeland Security said it cannot compel states to follow the law, non-compliant driver's licenses cannot be used as ID to board commercial airplanes or enter federal buildings after May 11, when the act takes effect.

Montana, South Carolina and Maine are currently the only three states whose residents won't be able to use their driver's licenses to board aircraft after the May deadline. Those three have failed, so far, to file for an extension giving them another 19 months - until January 2010 - to start verifying the identities of driver’s license applicants.

The goal of the Real ID Act, to make the driver's license a more reliable form of identity, is a good one. Setting minimum standards to ensure that the process of getting a driver's license is more secure and making it tougher to fake a driver's license isn't unreasonable; however, almost everything else associated with this program is....Simply put, there are no privacy rules. States are simply encouraged to follow a set of "best practices" for protecting privacy. But there are no consequences if states choose not to do so and thus no guarantees that the personal information collected for Real ID won't be used for a variety of state and even federal uses, populating and repopulating numerous government databases and easily available to businesses and other interests.

...

While the government disavows the notion that Real ID will quickly become a national ID card, the failure to provide privacy rules and limitations on secondary uses gives lie to that assertion. Indeed the ink is not yet dry on the new regulation, and the department is already speculating on a variety of other government purposes for which a Real ID card may be required, such as buying cold medicines that contain ingredients used to create methamphetamines. And Congress has already thrown around proposals that would require a Real ID for employment or to receive federal housing benefits.

At the end of the day, the Real ID regulations leave open the strong possibility that we will soon have a centralized ID database, one housing a wealth of personal data on virtually every American citizen. While the current DHS rules haven't made a decision one way or the other, DHS makes clear that it strongly supports the use of a centralized database for purposes of Real ID. ...

If the DHS and states choose to go that route, the security risks are enormous; the potential for abuse by government and business are mind-bending. A central database containing that much information creates an irresistible target for identity thieves, terrorists or other computer criminals, not to mention unscrupulous government employees.

Anytime one of the President's "bizarro world" press conferences takes place - yesterday's lasting a mind bending 45 minutes - one feels the obligation to correct just a few of the most egregious lies.

In terms of this blog, the correction would be of the President's essential claim that Democrats are trying to kill us all by not giving telecom companies immunity. Thankfully, the ACLU jumped at the opportunity to do this for us.

Before we get to the ACLU's slap down of the President, the New York Times reports on some of the most outrageously disingenuous fear mongering in American history:

Mr. Bush said again that renewing the surveillance legislation is “a very urgent priority,” and that it must include controversial provisions that would shield telecommunications companies from wholesale lawsuits over their assistance in monitoring the phone calls and e-mail messages of suspected terrorists without warrants.

Failure to give the legal protection to the telecom companies would not only be unwise and dangerous policy but plain unfair, the president said at a White House news conference. The companies were told by government leaders after the attacks of Sept. 11, 2001, “that their assistance was legal and vital to national security,” the president said. “Allowing these lawsuits to proceed would be unfair.”

Contrary to what administration critics say, “people who analyze the program fully understand that America’s civil liberties are well protected,” Mr. Bush said....

If the final legislation does not include protection for the companies, a wave of lawsuits could reveal how the United States conducts surveillance “and give Al Qaeda and others a road map as to how to avoid surveillance,” Mr. Bush said on Thursday.

Without the cooperation of private companies, “we cannot protect our country from terrorist attack,” the president declared, adding that the dispute was “not a partisan issue.”

...he adopted unusually robust language — saying, for instance, that it was “dangerous, just dangerous” for the legislation to be delayed......

And Senator Edward M. Kennedy of Massachusetts said the president was using “the specter of terrorism” to push his own agenda.

“If the telecommunications companies didn’t break the law, they do not need immunity,” the senator said. “If they broke the law, the American people deserve to know the size and scope of their lawbreaking. Adhering to the rule of law would not ‘aid our enemies’ — it would uphold the very principles we are fighting for. The President’s position has nothing to do with protecting Americans and everything to do with sweeping under the rug illegal activity by his administration and his corporate partners.”

"Contrary to the president’s false claim that those suing the telecoms are doing so because of a ‘financial gravy train," those who are seeking justice against the companies that sold out their privacy are not in it for the money. This is about the rule of law, and about insisting that corporations not be treated as above the law. You follow the rules, you don’t get sued. It’s as simple as that. Americans deserve their day in court.

"As for getting the help of these companies in the future, the president conveniently fails to mention that the companies will have immunity if they follow the law – namely FISA. For years, the telephone companies knowingly violated that law and should be held accountable. Because the administration does not want this lawlessness aired publicly, Bush is trying to prevent the courts from doing their job and is now goading Congress to bait them into aiding his administration’s cover-up. A full and public airing of the facts is necessary and overdue. The bottom line in all of these cases is that these giant companies must be held accountable for violating the law and dissuaded from violating the law in the future."

The following can be attributed to Michelle Richardson, Legislative Consultant for the American Civil Liberties Union:

"The president continues to misrepresent the situation with FISA. Fear mongering and making unsubstantiated claims of lost intelligence does not help Congress reach a resolution. President Bush’s concerns can only be taken as seriously as his actions. Let’s not forget the facts - the Protect America Act expired because he flatly refused to sign a second extension. House Democrats should be lauded for standing strong on their principles and supporting the Constitution. The president can’t have it both ways. He can’t dig his heels in and then complain that nothing is moving. The president will have to lie in the bed he made while he waits for Congress to finish its job."

To read more about the ACLU’s work on FISA, go to: www.aclu.org/fisa

Thursday, February 28, 2008

By my last count, seventeen states are seeking to reject Real ID, in large part because of privacy and civil liberties concerns, but also because the federal government is not contributing enough to the program’s enormous cost.

The debate going on over this "national ID" program continues unabated in the states, with some moving towards legal rejection, others moving towards acceptance.

After seeming dead in the morning, a bill objecting to a federal driver's license law passed the Senate Wednesday night after passionate debate. The measure, ultimately passed with three dissenting votes, would block state participation in the REAL ID Act, which aims to create a national standard for driver's licenses and other identification cards in the name of homeland security.... "As West Virginians, we have some tolerance of the federal government, but very little," the Randolph County Republican said. Noting that the Senate bill was supported by the American Civil Liberties Union as well as the National Rifle Association, Barnes said the REAL ID Act amounts to a violation of privacy because it would tie state DMV computer records in with a national database.

But alas, not all states are as forward thinking on this big brother power grab, as North Carolina moved the opposite direction. Channel 14 out of Charlotte reports:

Unlike 17 other states, North Carolina is moving full steam ahead with the plan. This summer getting that license to drive will change big time. The change is in response to security changes....

In the years ahead federal requirements will include showing a birth certificate or passport to prove identity. The process will allow DMV workers to scan that information to make sure you are who you say you are. DMV officials admit it could also create longer lines.... Officials in 17 other states disagree and are not going along with the plan. The problem for residents of those states is they will then need a passport to enter any federal building or board any flight by 2014 at the latest.

I will be on a conference call on Friday with a coalition of California organizations dedicated to preventing the REAL ID Act from ever becoming law in our state. So stay tuned, I'll have a lot more info on this critical issue in coming days and weeks.

Wednesday, February 27, 2008

AB 1298 - a bill that the Consumer Federation of California actively supported and that was signed into law last year - is now in the process of being implemented. It appears - as is often the case with California - that other states have taken notice of the law and are going to follow suit.

California's innovative data security breach notification law now also applies to medical information and health insurance data, thanks to a bill that expanded the regulation, which was signed by Gov. Arnold Schwarzenegger (R) in October and took effect Jan. 1. One expert says other states likely will consider this kind of expansion for their own laws.... The new law expansion, A.B. 1298, has three main parts, says Hirsch. First, security breach notification rules now apply to two new categories — medical information and health insurance information. Providers' previous breaches may not have triggered an obligation to disclose, even if data included medical information. "Prior to Jan. 1, the definition of 'personal information' was quite specific and somewhat narrow. Generally, if the breach didn't involve a Social Security number or an account number, there was no legal obligation to notify," explains Hirsch, who is a partner with Sonnenschein Nath & Rosenthal LLP.... A second aspect of A.B. 1298 expands the state's medical privacy law to apply to a broader range of technology companies that now are beginning to offer personal health records (PHRs), Hirsch says.

"Previously, [the state Confidentiality of Medical Information Act] covered any business that maintained medical information for the primary purpose of making it available for treatment. But as big companies such as Microsoft and Google started to express interest in PHR products, [legislators] realized that those companies are not primarily about PHRs and didn't want them to escape regulation. It's a fairly small change, but [one that's] needed to close a loophole. It also reflects the recent movement toward imposing privacy regulation on other types of health care technology ventures, such as regional health information organizations," Hirsch says.

Monday, February 25, 2008

We all consider our healthcare information to be extremely personal and expect the government to protect it from falling into the wrong hands. The World Privacy Forum has published two new documents, a legal and policy analysis of the privacy issues in Personal Health Records (PHRs), and a consumer advisory about the serious privacy risks some PHRs pose.

This from Pam Dixon of the World Privacy Forum: "Much of the discussion around PHRs has been oriented toward how they benefit consumers, with almost no meaningful or detailed discussion of the privacy risks. As a result, few consumers have the ability to make genuinely informed decisions about these tools. For example, many consumers assume that because a PHR involves health-related information, that special privacy protections must apply. However, there are different varieties of PHRs and PHR companies, some of which do not fall under the federal privacy rules that are usually applied to health information."

Computerworld reports on the new study:

In some cases, people whose health care information is stored in online personal health records (PHR) systems may be exposed to serious data privacy risks, according to a warning issued by a privacy advocacy group.

That's because not all PHR systems are covered by the federal Health Insurance Portability and Accountability Act, the World Privacy Forum said in a 16-page report released today (download PDF). The WPF contended that as a result, many of the privacy protections offered under the HIPAA statute don't apply to the personal health care data being maintained in such systems.

...

But people need to be aware that the systems may fall outside of HIPAA's protective umbrella, said Pam Dixon, the group's executive director. The HIPAA privacy rules cover health plans, doctors, hospitals, clinics, nursing homes and even researchers working with medical data collected from those entities, she said. But commercial PHR systems maintained by IT vendors or services providers and supported by means such as advertising may not come under HIPAA's purview, according to Dixon.

And even in cases in which a PHR system is covered by HIPAA, there are circumstances under which an individual's medical records may not be protected, Dixon said. For instance, she pointed to medical information that a person puts into the PHR system on his or her own behalf.

There are several problems that could result from the lack of privacy protections, Dixon said. For starters, she claimed, health records could lose their privileged status if a patient authorizes a doctor to send a copy of the information to a PHR system that isn't covered by the HIPAA mandates.

"Many consumers have this deeply held belief that their health information, no matter where it travels, is protected in the same way as when you have a doctor/patient relationship," Dixon said. In reality, consenting to have data transmitted to a non-covered system likely would be viewed as an indication that you had waived your privacy privilege, she added.

Health information stored in commercial PHR systems is also less protected against subpoenas than it otherwise would be, Dixon asserted. Under HIPAA, if someone seeks to subpoena medical records about an individual from a covered entity, the patient has to be informed first. But that protection doesn't apply to PHRs in all instances, she said.

...Even more worrisome to Dixon, though, is the potential for protected medical information stored in PHRs to be used for marketing purposes. HIPAA explicitly prohibits such uses, but the terms under which many PHR systems are operated could enable their owners to sell personal health data to marketers, she said.

People should be aware of such issues when choosing whether to use PHR systems, Dixon said. She added that the operators of PHR systems should be required to clearly disclose whether they are covered under HIPAA and what sort of privacy protections they offer.

Thursday, February 21, 2008

With the overwhelming popularity of websites like Facebook and Myspace, privacy has been placed on the back burner in the name of social internet networking. Facebook and Myspace pages have the potential to reveal a considerable amount of information about a user's lifestyle, interests, and goals. Depending on the user's settings, co-workers, employers, and certain family members could have access to information about the user that may be better left unknown.

Many Facebook and Myspace users don't consider these privacy issues when posting information about themselves. However, in recent months users have become increasingly conscious of privacy concerns, as Facebook has been criticized for not allowing people to permanently delete their accounts and personal information from the site, as well as for its use of "Beacon" (no longer in use by Facebook), a technology that tracks users' online purchases and informs their friends.

A co-worker apologized to me recently for being slow on a task. “It’s probably just your insomnia from last night,” I said. She was confused about how I knew, but I reminded her we were Facebook friends, and that she had posted a “status update” about her sleeplessness.

It’s a common phenomenon: people “friending” work colleagues on Facebook and then discovering that — as Seinfeld’s George Costanza would melodramatically put it — “worlds collide.” I gained all sorts of insights into another young co-worker when her college friends left reminiscence-filled birthday wishes on her Facebook “wall.”

Facebook was in the news this month for its disturbing policy of making it all but impossible for users to quit the site and erase their personal information. The issue was presented as one of privacy, which it is, but it is more precisely a matter of what the sociologist Erving Goffman called “identity management,” which takes on whole new levels on the Internet.

Goffman argued that people spend much of their lives managing their identity through “presentation of self.” Offline, people use clothing, facial expressions, and the revealing and withholding of personal information to convey to the world who they are, or who they want to be taken to be.

The physicality of the offline world provides built-in protections. When people talk to a group of friends, they can look around to see who is listening. When they buy a book or rent a video, if they pay in cash, no record is made connecting them to the transaction.

It’s more complicated online. Social networking sites like Facebook and MySpace create identities for people, and disseminate information about them to large numbers of people.

...

What Web sites need to do — and what the government should require them to do — is give users as much control over their identities online as they have offline. Users should be asked if they want information to be viewable by others, and by whom: Their friends? Everyone in the world? Privacy settings, which allow for this kind of screening, should be prominent, clear and easily managed. (I’m not sure I was part of the intended audience for my colleague’s college-years anecdotes.)

Before Web sites disseminate information the user did not ask to share, like an online purchase, the user should be notified and should have to affirmatively “opt in.” It should be easy for users to disappear from a Web site that they have been part of, or simply to delete some information about themselves.

In a visit to the editorial board not long ago, a top Google lawyer made the often-heard claim that in the Internet age, people — especially young people — do not care about privacy the way they once did. It is a convenient argument for companies that make money compiling and selling personal data, but it’s not true. Protests forced Facebook to modify Beacon and to ease its policies on deleting information. Push-back of this sort is becoming more common.

No one should have personal data stored or shared without their informed, active consent. If they still want to tell the world — including job interviewers and employers — about their wild weekends, they’re on their own.

Wednesday, February 20, 2008

Some real bad news to report from the whole "freedom", "constitution", and "privacy" front. The Supreme Court dismissed a challenge by the ACLU to President Bush's warrantless wiretapping program. In the simplest of terms, the court essentially is saying if you can prove you were wiretapped then you have a case, but, because the program is secret, no one can prove they were... therefore there's no reason to go to court! My head hurts!

The court's refusal to hear the case is a victory for the White House and the president's bold use of his powers as commander in chief. Though not a ruling on the legality of Bush's wiretapping policy, it all but forecloses a successful legal attack on it before the president leaves office early next year. In the meantime, Congress and the White House are negotiating new rules for electronic eavesdropping.... Lawyers for the American Civil Liberties Union went to court, hoping to win a ruling declaring that Bush had overstepped his powers. "The president is bound by the laws that Congress enacts. He may disagree with those laws, but he may not disobey them," they said in the appeal to the Supreme Court.

But Bush's lawyers successfully invoked two legal doctrines making it difficult to challenge the government's anti-terrorism policies. First, they said, challengers must show that they had their phone calls or e-mails intercepted. Otherwise, they have no "standing" to sue because they have no injury to complain of. Second, the government said, the entire program was secret, and under the "state secrets privilege," plaintiffs cannot obtain information on whether they were targeted for surveillance. When combined, the two doctrines make it almost impossible for most challengers to win a hearing in court. "They say you need certain information to proceed. And that is exactly the information the government won't give you," said Jameel Jaffer, director of the ACLU's National Security Program. "If you accept these doctrines, this program is entirely immune from judicial review. It's hard to be optimistic today."

Tuesday, February 19, 2008

I found this to be an enlightening article in the American Chronicle about ways in which the Patriot Act could have an effect on consumers, most notably in terms of financial transactions. I don't think I'm going out on a limb by saying this topic has received very little coverage or attention in the press, despite some of the Act's far-reaching privacy implications.

There are significant flaws in the Patriot Act, flaws that threaten your fundamental freedoms by giving the government the power to access your medical records, tax records, information about the books you buy or borrow without probable cause, and the power to break your door down at your home and conduct unconstitutional searches or if you're not home search your home or business in secret without telling you for weeks, months, or even indefinitely.... The current act encourages financial institutions to collect certain data to identify customers and their transactions in case any of the activity should be flagged as "suspicious" by a government agency. "Suspicious" in most cases means involving any foreign nationals or corporations. The Patriot Act considers any such accounts or transactions worthy of intense scrutiny. (Although the scrutiny will, of course, be more severe for certain nationalities than for others.)

What if you are a US-born, US citizen, do not have any arrest record, and are not involved in any type of criminal activity? If you'd just like to open a bank account or engage in another banking transaction, can a bank force you to provide your social security number? How about fingerprinting you? Is either of these strictly required by law? Not exactly – although if you do not wish to provide your social security number you will have to obtain an alternate taxpayer identification number. This information (along with your name, address, and date of birth) is used as part of the required Customer Identification Program (CIP) used to verify customer identity (and to compare customer information with lists of known terrorist suspects). Such information may also be required by other money service businesses such as currency exchanges. All having the effect of the financial institution acting as agent to and for the US Government. Fingerprints are not a requirement of the Patriot Act, and they are certainly not required by all financial institutions – so if your bank insists on this procedure, you may wish to take your business elsewhere.

If you believe in the seamless mutuality of government and big business — come out and say it! There is a dictionary definition, one word that describes that toxic blend.

You’re a fascist — get them to print you a t-shirt with “fascist” on it!

What else is this but fascism?

Did you see Mark Klein on this newscast last November?

Mark Klein was the AT&T Whistleblower, the one who explained in the placid, dull terms of your local neighborhood I-T desk, how he personally attached all AT&T circuits — everything — carrying every one of your phone calls, every one of your e-mails, every bit of your web browsing into a secure room, room number 641-A at the Folsom Street facility in San Francisco, where it was all copied so the government could look at it.

Not some of it, not just the international part of it, certainly not just the stuff some spy — a spy both patriotic and telepathic — might be able to divine had been sent or spoken by — or to — a terrorist.

Everything!... As Senator Kennedy reminded us in December:

“The President has said that American lives will be sacrificed if Congress does not change FISA. But he has also said that he will veto any FISA bill that does not grant retroactive immunity. No immunity, no FISA bill. So if we take the President at his word, he’s willing to let Americans die to protect the phone companies.”

...

We will not fear any longer.

We will not fear the international terrorists — we will thwart them.

We will not fear the recognition of the manipulation of our yearning for safety — we will call it what it is: terrorism.

We will not fear identifying the vulgar hypocrites in our government — we will name them.
And we will not fear George W. Bush.

If you felt a tremor in the force yesterday, that's because Democrats in the House stood up to White House fearmongering on the "Protect America Act" and its inclusion of retroactive immunity for telecom companies! That's right, as I posted early yesterday, the Democrats essentially had three choices: give Bush what he wants (which is everything), wait and try to pass their version of the bill again (that doesn't include retroactive immunity), or just let the constitution-smashing piece of legislation expire.

The Democrats actually went with perhaps the politically riskiest, but certainly best option of all: let it expire! Remember, the Bush administration's arguments for passing the law in the first place were "based on partial, calculated leaks of secret court rulings. If the Republicans want the Protect America Act so badly, force them to negotiate on that separately from retroactive immunity--the issues really aren't linked."

The House broke for a week’s recess Thursday without renewing terrorist surveillance authority demanded by President Bush, leading him to warn of risky intelligence gaps while Democrats accused him of reckless fear mongering.... “The president knows full well that he has all the authority he needs to protect the American people,” said Ms. Pelosi, who then referred to President Franklin D. Roosevelt’s admonition about fearing only fear itself. “President Bush tells the American people that he has nothing to offer but fear, and I’m afraid that his fear-mongering of this bill is not constructive.”

The decision by the House Democratic leadership to let the law lapse is the greatest challenge to Mr. Bush on a major national security issue since the Democrats took control of Congress last year.... The main sticking point is a provision in the Senate bill that provides legal immunity for telecommunications companies that, at the Bush administration’s request, cooperated in providing private data after the Sept. 11, 2001, attacks. Many House Democrats oppose that immunity.

Surveillance efforts will not cease when the law lapses. Administration intelligence officials said agencies would be able to continue eavesdropping on targets that have already been approved for a year after the initial authorization. But they said any new targets would have to go through the more burdensome standards in place before last August, which would require that they establish probable cause that an international target is connected to a terrorist group.

It appears we'll have a few weeks before this issue comes up again to really pressure House members - and Senators for that matter - to put the people, the constitution, and our right to privacy above the need to protect big business from crimes against their customers.

Thursday, February 14, 2008

As many may know, Senator Joe Simitian's bill, SB 362, which banned the forced subcutaneous implanting of RFIDs in employees by an employer, passed the California state legislature and was signed into law last year.

David Holtzman writes:

While it's easy to reject the notion of placing little ID chips inside humans as an ominous Orwellian invasion of individual rights, I suspect it's inevitable that in my lifetime we will all have some kind of computerized implants. My problem is not with the technology, known as chipping, or with the companies that sell it. My concern stems from my lack of trust in institutions and lack of belief that the technology will be forever restricted to beneficial, socially acceptable uses. ...

Privacy. Advocates of chipping often downplay privacy and security worries by stressing the chips merely contain a number rather than any actual personal information. However, that may be dangerous enough. A centralized numeric database storing information on a significant number of Americans begins to look a lot like a national ID card. But unlike an ID card safely stowed in a wallet, the numbers on these chips can potentially be read wirelessly by someone standing near you with an inexpensive handheld reader. Legislative attempts to establish a national ID, such as the REAL ID Act, have proven to be highly controversial. It would be a shame to have human chipping effectively short-circuit that debate and create a de facto national identification system....

Scott Silverman, VeriChip's chairman, has proposed mandatory chipping of guest workers and immigrants. A hospital in Ontario plans to implant the chips in babies, and the U.S. Army is mulling a requirement for enlisted personnel.

The elderly, immigrants, babies, low-ranking soldiers… these are not exactly the most powerful segments of U.S. society. Compare this to new technologies such as laser eye surgery and non-invasive heart procedures, where the wealthy and powerful typically benefit well before the lower rungs of the social ladder.

I am inherently distrustful of technologies that start deployment at the bottom of the power pyramid.... But who knows which agencies might be given access to the database down the road as part of new policy initiatives. Congressmen are notorious for passing legislation requiring the government to exploit existing databases for new endeavors, such as targeting deadbeat dads or delinquent student loan holders through the IRS tax refund system.

I can think of countless initiatives that could be launched to make use of a sufficiently large group of chipped people: a universal college student ID system; chip readers in cars that would block drivers with unpaid parking tickets from using their vehicles; tracking people with a history of emotional disturbances; court-ordered chipping tied to domestic restraining orders; government monitoring of people found to have a high-risk profile through computer profiling; outfitting firearms with a radio-frequency identification (RFID) reader and requiring gun owners to be chipped to fire their weapon (like existing thumbprint locks)....

As citizens, we need legal safeguards ensuring that any use of this technology adheres to publicly acceptable guidelines. At a minimum, any chipping must be truly voluntary rather than mandatory. But I am afraid this will be almost impossible to ensure without legislation such as that enacted by Wisconsin last year, barring all mandatory human chipping. Any potential privacy-busting technology such as this one must be introduced with substantive protections that far exceed ambiguous corporate pledges that boil down to "Trust me." With all due respect, I'm afraid that I don't.

To the House's credit, they have already tried to grant a temporary extension for the Orwellian "Protect America Act" (as in protect the White House and the telecom companies) that DOES NOT include retroactive immunity for the telecom companies that sold out the American public's privacy.

Unfortunately, an alliance in the House similar to the one built in the Senate won the day: nearly every fearmongering Republican, along with a small minority of Democrat cowards.

Republicans in the U.S. House of Representatives have scuttled an attempt to grant a temporary extension to a controversial wiretap law--that did not include retroactive immunity for telecommunications companies...By a 191-229 vote on Wednesday afternoon...The law--which Republicans say is necessary to allow interception of communications that transit the United States--is scheduled to expire on Saturday.

...

This leads to an unusual situation in which the House Democratic leadership, which has objected to retroactive immunity without learning more about what kinds of activities it would shield, has a few options:

1. Give Bush what he wants. This would mean admitting defeat and approving the immunity shield that the Senate already did on Tuesday.

2. Wait and try again. If the Republicans insist that this bill is necessary (which is hardly clear--we've survived for decades without it), the Democrats could hold another temporary renewal vote on Friday at 11 p.m. and dare the GOP to block this supposedly vital legislation a second time.

3. Let the Protect America Act expire. This is politically risky in an election year, of course, but the Bush administration's arguments for passing the law in the first place were based on partial, calculated leaks of secret court rulings. If the Republicans want the Protect America Act so badly, force them to negotiate on that separately from retroactive immunity--the issues really aren't linked.

Wednesday, February 13, 2008

I know I've been focusing a lot of attention on the FISA debate that's been going on in the Senate recently, but I don't really see a choice in the matter. There simply is no more important an issue for those that care about privacy, the constitution and the rule of law.

For this reason, I must say I feel a deep sense of betrayal, even sadness, at the Senate's passage of a FISA bill that not only gives telecommunication companies retroactive immunity for their crimes, but also codifies and approves of the eavesdropping and wiretapping of American citizens.

I should mention, however, that this fight is not over. The House's far superior "Restore Act" still needs to be reconciled with the Constitution-destroying Senate bill passed yesterday.

Let me begin by posting some clips from the New York Times coverage of this tragic vote, and then I'll give you an opportunity to take action by urging the House of Representatives to stop retroactive immunity in conference by standing strong for their version of wiretapping reform legislation.

The New York Times reports:

Finally, the Senate voted 68 to 29 to approve legislation that the White House had been pushing for months. Mr. Bush hailed the vote and urged the House to move quickly in following the Senate’s lead. The outcome in the Senate amounted, in effect, to a broader proxy vote in support of Mr. Bush’s wiretapping program. The wide-ranging debate before the final vote presaged discussion that will play out this year in the presidential and Congressional elections on other issues testing the president’s wartime authority, including secret detentions, torture and Iraq war financing.

...

The bill, which had the strong backing of the White House, allows the government to eavesdrop on large bundles of foreign-based communications on its own authority so long as Americans are not the targets. A secret intelligence court, which traditionally has issued individual warrants before wiretapping began, would review the procedures set up by the executive branch only after the fact to determine whether there were abuses involving Americans.

“This is a dramatic restructuring” of surveillance law, said Michael Sussmann, a former Justice Department intelligence lawyer who represents several telecommunication companies. “And the thing that’s so dramatic about this is that you’ve removed the court review. There may be some checks after the fact, but the administration is picking the targets.”

The Senate plan also adds one provision considered critical by the White House: shielding phone companies from any legal liability for their roles in the eavesdropping program approved by Mr. Bush after the Sept. 11 attacks. The program allowed the National Security Agency to eavesdrop without warrants on the international communications of Americans suspected of having ties to Al Qaeda. AT&T and other major phone companies are facing some 40 lawsuits from customers who claim their actions were illegal.

...

Democratic opponents, led by Senators Russ Feingold of Wisconsin and Christopher J. Dodd of Connecticut, argued that the plan effectively rewarded phone companies by providing them with legal insulation for actions that violated longstanding law and their own privacy obligations to their customers.

...

Mr. Dodd, who spoke on the floor for more than 20 hours in recent weeks in an effort to stall the bill, said future generations would view the vote as a test of whether the country heeds “the rule of law or the rule of men.” But with Democrats splintered, Mr. Dodd acknowledged that the national security argument had won the day. “Unfortunately, those who are advocating this notion that you have to give up liberties to be more secure are apparently prevailing,” he said. “They’re convincing people that we’re at risk either politically, or at risk as a nation.”

I would be remiss not to include the ACLU's reaction to the vote:

"The Senate had multiple opportunities to improve this atrocious bill and failed at every turn," said Caroline Fredrickson, director of the ACLU Washington Legislative Office. "Several amendments were offered to increase privacy protections, with many of them allowing for warrantless surveillance during emergency situations. It’s stunning that senators wouldn’t put their support behind amendments so fundamentally balanced. Protecting Americans' communications from pervasive and ill-defined surveillance goes to the very heart of the Fourth Amendment. Unfortunately, the Senate seemed determined to pass the least constitutional FISA bill possible."

...

"Senators Feingold and Dodd deserve kudos for their attempts to help make this awful Senate bill more palatable," said Fredrickson. "Though many questions still remain unanswered about years of domestic spying, the Senate has effectively sealed the vault by handing over immunity to the phone companies. The over forty legitimate lawsuits currently pending against them may end before they’ve begun. It’s a fact that Americans had their rights violated and now, by closing the courtroom door, they may be left with no recourse. The Senate failed us with this vote. It is a major step backward both for Americans’ privacy and the Constitution."

TAKE ACTION!

With that, I want to make yet another plea to let your representatives hear from you! Here's an action alert from Working Assets:

Last fall, the House passed the RESTORE Act, a FISA reform bill that included solid oversight of domestic surveillance and did not contain retroactive immunity.

Now, because the House bill is so different from the legislation that the Senate just passed, there will be a conference between leaders of the House and the Senate to decide what legislation both bodies will put forward for the President to sign.

We need Speaker Nancy Pelosi and House Majority Leader Steny Hoyer to stand tall and ensure that the conference committee reports legislation that doesn't include retroactive immunity.

Tuesday, February 12, 2008

I also thought this quote by constitutional law professor Glenn Greenwald says it best:

‘The Bush administration will be gone in eleven months, but in the absence of some meaningful accountability all of this will remain. If these theories remain undisturbed and unchallenged. And all of these crimes go un-investigated and unpunished, that will have a profound impact on changing our national character and further transforming the type of country we are.’

Unfortunately, that's all the good news I have to report, as Greenwald also wrote up an article on what we can expect to transpire in the Senate today, and it's not good. Telecom companies will get immunity...as 12 Democrats joined all Republicans to pass the bill.

Greenwald writes:

The Senate today — led by Jay Rockefeller, enabled by Harry Reid, and with the active support of at least 12 (and probably more) Democrats, in conjunction with an as-always lockstep GOP caucus — will vote to legalize warrantless spying on the telephone calls and emails of Americans, and will also provide full retroactive amnesty to lawbreaking telecoms, thus forever putting an end to any efforts to investigate and obtain a judicial ruling regarding the Bush administration’s years-long illegal spying programs aimed at Americans. The long, hard efforts by AT&T, Verizon and their all-star, bipartisan cast of lobbyists to grease the wheels of the Senate — led by former Bush 41 Attorney General William Barr and former Clinton Deputy Attorney General Jamie Gorelick — are about to pay huge dividends, as such noble efforts invariably do with our political establishment.

...

How far we’ve come — really: disgracefully tumbled — from the days of the Church Committee, which aggressively uncovered surveillance abuses and then drafted legislation to outlaw them and prevent them from ever occurring again. It is, of course, precisely those post-Watergate laws which the Bush administration and their telecom conspirators purposely violated, and for which they are about to receive permanent, lawless protection.

...

From Frank Church and the bipartisan oversight protections of the post-Watergate abuses in the mid-1970s to Jay Rockefeller, Dick Cheney, legalized warrantless eavesdropping and retroactive telecom amnesty in 2008 — that vivid collapse into the sewer illustrates as potently as anything could what has happened to this country over the last eight years.

Monday, February 11, 2008

As you may know, no agreement was reached on the issue of Telecom Immunity - or the FISA Law in general - in the Senate last week. While that in itself isn't bad news per se, ALL signs are pointing in the same direction: Americans' right to privacy is going to be sold down the river in favor of protecting the same corporations that cooperated with our government's grossly unlawful spying program.

The New York Times - the paper that blew the lid off the illegal wiretapping program in the first place - wrote another excellent editorial detailing the "debate" going on in the Senate over an issue that can't seem to even make the television news cycle (or a debate!) even though it represents a direct assault on the fundamental principles laid out in our Constitution.

The Editorial reads:

After the 2001 terrorist attacks, the president decided to ignore the Foreign Intelligence Surveillance Act, or FISA, and authorized wiretaps without a warrant on electronic communications between people in the United States and people abroad. Administration lawyers ginned up a legal justification and then asked communications companies for vast amounts of data. According to Mr. Rockefeller, the companies were "sent letters, all of which stated that the relevant activities had been authorized by the president" and that the attorney general - then John Ashcroft - decided the activity was lawful. The legal justification remains secret, but we suspect it was based on the finely developed theory that the president does not have to obey the law, and not on any legitimate interpretation of federal statutes. When Mr. Bush started his spying program, FISA allowed warrantless eavesdropping for up to a year if the president certified that it was directed at a foreign power, or the agent of a foreign power, and there was no real chance that communications involving United States citizens or residents would be caught up. As we now know, the surveillance included Americans and there was no "foreign power" involved.

...

The telecoms, which are facing about 40 pending lawsuits, believe they are protected by a separate law that says companies that give communications data to the government cannot be sued for doing so if they were obeying a warrant - or a certification from the attorney general that a warrant was not needed - and all federal statutes were being obeyed.

To defend themselves, the companies must be able to show they cooperated and produce that certification. But the White House does not want the public to see the documents, since it seems clear that the legal requirements were not met. It is invoking the state secrets privilege - saying that as a matter of national security, it will not confirm that any company cooperated with the wiretapping or permit the documents to be disclosed in court.

So Mr. Rockefeller and other senators want to give the companies immunity even if the administration never admits they were involved. This is short-circuiting the legal system. If it is approved, we will then have to hope that the next president will be willing to reveal the truth.

Mr. Rockefeller argues that companies might balk at future warrantless spying programs. Imagine that!

So there you have it...our elected representatives are simultaneously arguing that illegally wiretapping Americans is unconstitutional and deplorable, but that those who participated in creating this program shouldn't be held accountable for what they did because that might deter them from doing it again. Let that sink in for a minute...

But that's not all. This kind of tortured logic doesn't hold a candle to the administration's recent head-spinning and Constitution-squashing position. See if you can follow: Bush argues that if the Senate doesn't quickly pass the FISA bill, Americans' lives are being put in danger - and in the same breath threatens to veto any bill without telecom immunity in it. Everybody get that? Bush is saying he will gladly put American lives at risk in order to protect the telecom industry from being held accountable for their crimes!

Friday, February 8, 2008

The California State Senate has recently passed two measures that give consumers who were victims of a data breach or identity theft additional resources and rights not currently required by California law. If passed by the State Assembly and enacted into law, these two bills would require that consumers receive more extensive notification concerning data breaches, create a central reporting center for breaches and allow local prosecution of identity theft. This comes at a time when data breaches are reaching record numbers and identity theft is on the rise. SC Magazine reports:

The State Senate in California has passed by wide margins measures that require more extensive notification to consumers of data breaches, establish a central reporting center for breaches, and permit local prosecution of identity theft.

The bills, SB364 (privacy) and SB612 (ID theft prosecution), passed by 30-7 and 40-0 votes, respectively. Both measures were authored by State Sen. Joe Simitian, who sponsored SB1386, California's original breach notification law in 2002.

SB364 would require that consumers receive a clear, informative notification letter when their personal data kept by a business or public agency has been stolen. It also requires the state to establish a central reporting site to catalog security breaches.

"No one likes to get the news that information about them has been stolen," Simitian said in a prepared statement. "But when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next."

According to SB364, a security breach notification must contain the toll-free telephone numbers of the major credit reporting agencies - to allow consumers to put a hold on their credit - and the name and contact information of the business that has experienced a breach. The notice also must include the type of information, such as names and Social Security numbers, that might have been taken; the date of the breach and of its discovery; a general description of the breach; and the estimated number of persons affected.

California's existing law requires that businesses or government agencies which have lost personal data notify the individuals whose information has been compromised. More than 40 states have adopted similar legislation, based primarily on the California measure.

SB364's mandates are based on recommendations from a study by the Samuelson Law, Technology & Public Policy Clinic at the University of California at Berkeley School of Law. That study called for standardized notices and the formation of a central clearing house for security breach information.

The second law, SB612, would allow identity theft to be prosecuted in the county in which the victim lives, which is not always the case now, according to Simitian's office. The current California law permits prosecution in the county in which the theft occurred or the county in which the information was illegally used, both of which may be hundreds of miles away from the victim's home.

"Too often, identity thieves can act with impunity simply because their victims live in a remote community," Simitian said. Although the current law permits prosecution on behalf of victims anywhere, "expecting a local district attorney to prosecute a case when the victim or victims are all at the other end of the state is simply unrealistic," he said.

"If someone steals your wallet or your car, the existing system makes sense," Simitian added. "But computer crime ignores geography. Suppose a thief sitting at a computer in San Diego uses a ruse to obtain the personal identification information of a San Jose man, then swipes money from his online brokerage. The law says the crime occurred in San Diego and, unless a San Diego prosecutor takes up the case, the San Jose victim is out of luck."

Thursday, February 7, 2008

As opposition across the country continues to mount against the Bush Administration's REAL ID Act, one would think the administration might be reluctant to force states to shoulder even more of the financial burden for the invasive program. But then, that would be using logic and common sense, not trademark characteristics of this White House.

The ACLU has taken a look at the recent White House budget and done some REAL ID number crunching for us...and let's just say it isn't pretty:

The President’s budget proposal requests only $110 million in federal grant money toward the states for Real ID implementation, and even that money, if actually appropriated by Congress, will be split among Real ID and other programs.

...

Even combined with about $80 million in federal dollars already in place to pay for Real ID implementation, the funding would fall far short of the projected cost – estimated by the Department of Homeland Security to fall between four and 23 billion dollars – for the constitutionally suspect driver’s license program. States are left to fend for themselves to comply with the unfair, unworkable demands of the Real ID Act. The National Conference of State Legislatures, a bipartisan coalition of state legislators, expressed outrage at the paltry funding request, calling it the "most egregious example" of unfunded federal mandates.

...

Seventeen states have rejected Real ID, in large part because of privacy and civil liberties concerns, but also because the federal government is not contributing enough to the program’s enormous cost. Under Real ID, every American would be required to have a federally approved ID in order to participate in basic aspects of American life, and everyone’s personal information would be stored in a national database available to officials in all levels of government.

...

"We still haven’t gotten the truth about the funding for Real ID. These kinds of false promises don’t help build our confidence in DHS, which appears bent on cataloging every American’s personal data and making states pay for it. They haven’t fixed Real ID’s civil liberties problems, and they haven't shown us the money for Real ID – they have only left unresolved significant threats to our privacy," said Tim Sparapani, ACLU senior legislative counsel.

Tuesday, February 5, 2008

It's been a good week for Senator Joe Simitian, who just had his second piece of privacy protection legislation, SB 612, pass the Senate and move on to the Assembly. The bill would allow a victim of identity theft to prosecute the accused in the county where the victim resides. Common sense would dictate that victims should have such a right already, but the law currently doesn't quite see it this way. The good news is that every member of the State Senate agreed with our logic and voted for the bill - which passed by an overwhelming count of 40-0. When your identity is stolen, it's already stressful enough worrying about protecting your bank accounts, personal identification numbers and other information that could lead to significant loss. Clearly, the law should allow the prosecution to file charges in the county where the victim lives...which is now one step closer to becoming a reality.

California State Senator Joe Simitian -- a Democrat representing the tech-heavy Palo Alto constituency -- is back on the war path fighting for consumer rights relating to the use of information technology, in this case seeking stronger laws regarding data breach reporting guidelines and promoting new legal tools for use in punishing identity thieves.

"Too often identity thieves can act with impunity simply because their victims live in a remote community, expecting a local district attorney to prosecute a case when the victim or victims are all at the other end of the state is simply unrealistic," Simitian said in a statement.

SB 612 would permit, but not require, prosecution in the county where the victim resides, with a judge eventually deciding where to hold the trial.

Experts have also endorsed that piece of legislation.

"Senator Simitian's legislation puts some teeth into our existing laws regarding identity theft. Without prosecution, there's no deterrent," Lenny Goldberg, a lobbyist for the non-profit Privacy Rights Clearinghouse, said in a statement.

In another article on CBS 5 news, Senator Simitian commented that, "Local prosecutors are likely to be more aggressive on behalf of local victims. The existing system actually favors the criminal rather than the victim of identity theft."

Monday, February 4, 2008

As has been the unstoppable and insatiable trend of the last 30 years, the internet now too is consolidating at a breakneck speed. I have talked in the past here about the Google/Doubleclick merger request, and the privacy implications of such a deal (the hope is the European Commission will stop that one), and now, unfortunately, we've got an even bigger concern on our hands: Yahoo meet Microsoft...Microsoft meet Yahoo...gee, why would anyone have a problem with this privacy-eviscerating and consumer-stomping merger?

"Today's proposed acquisition by Microsoft of Yahoo, if consummated, will create a powerful interactive Internet duopoly in online media," said Jeff Chester, executive director of the Center for Digital Democracy, in a statement e-mailed to reporters. "Google and Microsoft will have inordinate power to shape the online communications marketplace, including journalism, entertainment and advertising. In an era when individuals are increasingly conducting their personal, social and political lives online, the corporations that control the digital experience will have a far-reaching influence over every aspect of society."

...

Among other things, Microsoft CEO Steve Ballmer boldly stated, the proposed deal would make it possible for Microsoft to conduct more effective behavioral targeting, long the Holy Grail of advertisers in general, and particularly in online advertising.

It is precisely that prospect which concerns consumer advocates. Chester said the refusal of the Federal Trade Commission and Congress to impose reasonable restrictions on the Google acquisition of DoubleClick led directly to Friday's bid by Microsoft.

"The proposed deal," Chester argued, "underscores the need for both the FTC and the Congress to enact policies that will protect consumer data online. They are already at risk. In an online era dominated by digital behemoths, consumers will be more vulnerable to having their personal information become the property of the GoogleClick's and Microhoo's!"

The Washington Post covers the story from a slightly different angle - as in - can it be stopped by the US or the European Union?

A major factor weighing in Microsoft Corp.'s favor, analysts said, is Google Inc.'s dominance in the online search and advertising businesses -- the two areas regulators are likely to focus on when weighing market power issues raised by the nearly $45 billion unsolicited bid.

...

The Federal Trade Commission in December approved Google's $3.1 billion purchase of online advertising company DoubleClick Inc., but European Union regulators are still examining the deal and Google has said it won't go forward without their blessing. (Microsoft lobbied hard against the deal, arguing that it would give Google a dominant position in the online ad market.)

...

"Despite the appearance of unlimited choice in the new media environment, people's online activities will be tracked and shaped by a very small number of companies who care far more about surveillance and targeted advertising than the public interest," Turow said.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, agreed and said "the problem of profiling Internet users will become more severe if mergers go forward without appropriate privacy safeguards."

...

Sen. Herb Kohl, D-Wis., chairman of the Senate antitrust subcommittee, said the same issues that prompted lawmakers to review the Google-DoubleClick deal exist in a potential Microsoft-Yahoo combination, including examining how it affects consumers, advertisers and businesses "who increasingly use the Internet for their news, commerce and entertainment." If Yahoo accepts Microsoft's offer, the subcommittee expects to hold hearings to "explore the competitive and privacy implications of the deal," Kohl said.

Friday, February 1, 2008

Watch this scathing and courageous rebuke of President Bush and "his lies about the pending FISA legislation and fear tactics during his final State of the Union address" by Keith Olbermann, host of MSNBC's "Countdown". It couldn't have come at a more critical time, as the mainstream media seems intent not only on largely ignoring the debate, but on failing to report key facts and information when they do cover it!

Finally, someone in the media dares point out that inconvenient truth regarding the President's threat to veto a bill he says is critical to the safety of Americans if it doesn't include retroactive immunity for the telecom companies that participated in the government's illegal wiretapping program. Olbermann asks that all-important question: "If this bill is so important to the safety of Americans wouldn't vetoing it endanger us? And, doesn't that mean that the President is putting the immunity of lawbreaking, multi-billion corporations ahead of the safety of American citizens?"

Here are some of the highlights (but it doesn't do justice to watching it!):

...a presidency of hypocrisy — an administration of exploitation — a labyrinth of leadership — in which every vital fact is a puzzle inside a riddle wrapped in an enigma hidden under a claim of executive privilege supervised by an idiot — this one… is surprisingly easy.

President Bush has put protecting the telecom giants from the laws… ahead of protecting you from the terrorists.

He has demanded an extension of the FISA law — the Foreign Intelligence Surveillance Act — but only an extension that includes retroactive immunity for the telecoms who helped him spy on you.…

It’s bad enough, sir, that you are demanding an ex post facto law which would clear the phone giants from responsibility for their systematic, aggressive, and blatant collaboration with your illegal and unjustified spying on Americans, under the flimsy guise of looking for any terrorists stupid enough to make a collect call or send a mass e-mail.

But when you then demanded again, during the State of the Union address, that Congress retroactively clear the Verizons and the AT&T’s, you wouldn’t even confirm that they actually did anything for which they deserved to be cleared!

“The Congress must pass liability protection for companies believed to have assisted in the efforts to defend America.”

Believed?

Don’t you know?

Does the endless hair-splitting of your presidential fine print, extend even here?

…

Sorry, Mr. Bush. The eavesdropping provisions of FISA have obviously had no impact on counter-terrorism, and there is no current or perceived terrorist threat, the thwarting of which could hinge on an e-mail or a phone call going through room 641-A at AT&T in San Francisco next week or next month.

Because if there were, Mr. Bush, and you were to, by your own hand, veto an extension of this eavesdropping, and some terrorist attack were to follow, you would not merely be guilty of siding with the terrorists, you would not merely be guilty of prioritizing the telecoms over the people, you would not merely be guilty of stupidity, you would not merely be guilty of treason… but you would be personally, and eternally, responsible.

It is rare indeed that a mainstream television news anchor will so strongly, and accurately, take on the abuses and crimes of corporate interests as well as government crimes and deceit - particularly when something as critical as our right to privacy, the Constitution, and the rule of law are under such a withering assault. Let's hope EVERY member of Congress watches this editorial, and finds the courage to match Olbermann's.

Some good news to report today on the RFID regulation front. SB 31 (Senator Simitian) - a bill to outlaw the "skimming" of RFID tags - overwhelmingly passed the California state senate by a vote of 36 to 3. At first glance you may ask, "Isn't this a no-brainer? OF COURSE stealing someone's personal information off an RFID tag should be illegal?" You would be correct in this assumption, hence the importance of this bill...as unbelievably there currently is no law protecting you from this kind of "theft".

"The problem is real," he (Simitian) said, while announcing passage of his bill. "The card I use to access the State Capitol was skimmed and cloned by a hacker in a split second. Minutes later, using that clone of my card, he was able to walk right into the Capitol through a 'secure' and locked entrance." Simitian said personal information on tags used for drivers' licenses and student IDs should be protected the same way other personal property is protected. "If you've been mugged, or even had your pocket picked, you know you've been a victim," he said. "You can take steps to protect yourself against identity theft. But if your personal information has been 'skimmed' without your knowledge or consent, you're completely vulnerable. Right now if someone steals your ID, it's a crime; but if they steal the information on your ID by 'skimming,' it's not."

Simitian said the problem is exacerbated by the fact that millions of IDs and access cards carry unlimited information and there aren't any rules about including technology to protect privacy for privately-issued cards.

"RFID technology is not in and of itself the issue," he said. "RFID is a minor miracle with all sorts of good uses. But it's easier than ever to steal someone's personal information with an unauthorized reader -- technology that is readily available, off-the-shelf, and surprisingly inexpensive." Simitian's bill makes exceptions for inadvertent scanning. It also allows emergency medical workers and law enforcement agencies to scan cards without permission, while trying to provide care or investigate crimes -- as long as investigators have obtained a search warrant.

PRIVACY REVOLT! tackles the issues at the intersection of civil liberties and technology, with news and commentary on government and corporate surveillance, identity theft, data brokers, tracking devices, and the security of consumers' financial, medical, and phone records.
